Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Log Data Tampering: Windows File/Directory Auditing?

kholleran
Communicator
‎11-02-2010 07:02 PM

Hello,

I need to monitor the folders that the log files are in. I need to be able to show that no one is trying to directly access the log files and delete them. Is there a way to do this within Splunk? If not, I would like to set up Windows File Auditing on the database files in the directories and alert if the changes are made by anything other than the Splunk System. How can I specify in Windows EVERYONE but not Splunk (which is running as Local System I believe - was installed at the default user setting).

Thanks very much for your help.

Kevin

0 Karma
Reply

ftk
Motivator
‎11-02-2010 07:16 PM

You can set up SACLs (Auditing entries) in Windows, and do two auditing entries -- one for the EVERYONE group that logs any changes, and one for the splunk user that exempts the user from getting changes logged.

Reply

ftk
Motivator
‎11-03-2010 12:36 PM

It should exempt an account if you leave all boxes cleared, not 100% sure right now. IF that doesn't work, I would run Splunk as a separate user account, then modify permissions to only allow the splunk account to modify the logs and change permissions, then place auditing entries for EVERYONE that audit modify/delete and change permission failures as well as change permission successes to catch everybody but the splunk account tampering with the files.

0 Karma
Reply

kholleran
Communicator
‎11-02-2010 08:29 PM

How do you do an explicit do not audit? I see where you can turn it on and off but not an explicit "No auditing" that I could apply to Local System to override the Everyone built-in.

Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

Welcome back to Splunk Classroom Chronicles, our ongoing series where we shine a light on what really happens ...

From GPU to Application: Monitoring Cisco AI Infrastructure with Splunk Observability ...

AI workloads are different. They demand specialized infrastructure—powerful GPUs, enterprise-grade networking, ...

Application management with Targeted Application Install for Victoria Experience

  Experience a new era of flexibility in managing your Splunk Cloud Platform apps! With Targeted Application ...